# Region the configuration is being applied in; used below as the source
# region for the AMI copy.
data "aws_region" "this" {}
# Account-owned, KMS-encrypted copy of the source AMI so the bastion boots
# from an image encrypted under a key the caller controls. A new local.ami_id
# produces a new copy (source_ami_id is a replace-on-change attribute).
resource "aws_ami_copy" "latest_amazon_linux" {
  name        = var.resource_names.prefix
  description = "Copy of ${local.ami_id}"
  tags        = var.tags

  source_ami_id     = local.ami_id
  source_ami_region = data.aws_region.this.name

  # Encrypt with the caller-supplied key rather than the account default EBS key.
  encrypted  = true
  kms_key_id = var.kms_key_arn
}
# Bastion security group. No ingress rules are declared in this file; the
# rules below are egress only, so inbound access is expected through SSM
# rather than a listening port.
resource "aws_security_group" "this" {
  vpc_id = var.vpc_id

  name        = var.resource_names.prefix
  description = "Securing the bastion host"
  tags        = var.tags
}
# One egress rule per caller-supplied TCP port. The rules are indexed by
# count, so reordering local.clean_egress_open_tcp_ports recreates rules;
# a for_each keyed by port would be address-stable but would change the
# resource addresses held in existing state.
resource "aws_security_group_rule" "egress_open_ports" {
  count = length(local.clean_egress_open_tcp_ports)

  security_group_id = aws_security_group.this.id
  description       = "User defined rule to open the port"
  type              = "egress"
  protocol          = "tcp"
  from_port         = local.clean_egress_open_tcp_ports[count.index]
  to_port           = local.clean_egress_open_tcp_ports[count.index]
  # tfsec:ignore:aws-vpc-no-public-egress-sgr
  cidr_blocks = ["0.0.0.0/0"]
}
# Outbound HTTPS so the SSM agent can reach the Systems Manager endpoints.
# The rule is open to all destinations on purpose (see comment below); if
# egress must be restricted, VPC endpoints for ssm/ssmmessages/ec2messages
# would let this be narrowed to the VPC.
resource "aws_security_group_rule" "egress_ssm" {
  security_group_id = aws_security_group.this.id
  description       = "allow HTTPS traffic"
  type              = "egress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  # bastion host should be able to connect to all HTTPS sites
  # tfsec:ignore:aws-vpc-no-public-egress-sgr
  cidr_blocks = ["0.0.0.0/0"]
}
# IAM role and instance profile for the bastion, created only when the caller
# has not supplied an existing profile name (count is 0 otherwise).
# Presumably local.bastion_instance_profile_name picks between the two cases;
# verify against locals.
module "instance_profile_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "5.44.0"
  count   = var.instance["profile_name"] != "" ? 0 : 1

  role_name        = "${var.resource_names["prefix"]}${var.resource_names.separator}profile"
  role_description = "Instance profile for the bastion host to be able to connect to the machine"
  role_path        = var.iam_role_path

  create_role             = true
  create_instance_profile = true
  # MFA makes no sense here. It's used for EC2 instances.
  role_requires_mfa = false
  # Only the EC2 service may assume this role.
  trusted_role_services = ["ec2.amazonaws.com"]
  custom_role_policy_arns = [
    # Permissions the SSM agent needs for Session Manager.
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    # NOTE(review): EC2InstanceConnect is normally attached to the principal
    # that connects, not to the host's own role; it lets the holder push SSH
    # keys to instances. Confirm the bastion itself needs it, otherwise drop
    # it for least privilege.
    "arn:aws:iam::aws:policy/EC2InstanceConnect",
  ]
  tags = var.tags
}
# Launch configuration for the auto-scaled bastion (the ASG that consumes it
# is not in this file). NOTE(review): AWS has deprecated launch configurations
# in favour of launch templates; the manual_start template below already
# carries the same settings and could serve as the migration target.
resource "aws_launch_configuration" "this" {
  # name_prefix + create_before_destroy lets a replacement be created under a
  # fresh name before the old one is removed.
  name_prefix          = var.resource_names["prefix"]
  image_id             = aws_ami_copy.latest_amazon_linux.id
  instance_type        = var.instance.type
  iam_instance_profile = local.bastion_instance_profile_name
  security_groups      = [aws_security_group.this.id]

  root_block_device {
    volume_size = var.instance.root_volume_size
    volume_type = "gp3"
    # No kms_key_id option here; the volume is created from the encrypted AMI
    # snapshot above, which is what carries the customer key.
    encrypted             = true
    delete_on_termination = true
  }

  # use IMDSv2 to avoid warnings in Security Hub
  metadata_options {
    http_endpoint = "enabled"
    # "required" rejects the unauthenticated IMDSv1 request path.
    http_tokens = "required"
    # Hop limit 1 keeps IMDS responses from being forwarded beyond the
    # instance itself (e.g. into bridged containers).
    http_put_response_hop_limit = 1
  }

  enable_monitoring = var.instance.enable_monitoring

  lifecycle {
    create_before_destroy = true
  }
}
# Launch template for bastions started by hand (outside the ASG). Settings
# mirror aws_launch_configuration.this; keep the two in sync when changing
# hardening options such as metadata_options.
resource "aws_launch_template" "manual_start" {
  name        = var.resource_names.prefix
  description = "Launches a bastion host"

  image_id               = aws_ami_copy.latest_amazon_linux.id
  instance_type          = var.instance.type
  vpc_security_group_ids = [aws_security_group.this.id]
  # Every change to the template becomes the new default version, so manual
  # launches always pick up the latest settings.
  update_default_version = true

  iam_instance_profile {
    name = local.bastion_instance_profile_name
  }

  monitoring {
    # no monitoring for manual instances
    enabled = false
  }

  # use IMDSv2 to avoid warnings in Security Hub
  metadata_options {
    http_endpoint = "enabled"
    # "required" rejects the unauthenticated IMDSv1 request path.
    http_tokens = "required"
    # Hop limit 1 keeps IMDS responses from being forwarded beyond the
    # instance itself (e.g. into bridged containers).
    http_put_response_hop_limit = 1
  }

  # No block_device_mappings: the root volume inherits encryption from the
  # encrypted AMI copy above. Only instances are tagged here; attached
  # volumes get no tags unless a second tag_specifications block is added.
  tag_specifications {
    resource_type = "instance"
    tags          = local.bastion_runtime_tags
  }

  tags = var.tags
}